In recent months, serious cyberattacks have once again brought hackers and cybercriminals into the news. These modern-day pirates have proven themselves to be creative, persistent, and devious in their efforts to gain illicit access to private employee data as well as company intellectual property and trade secret information.
Employers must be especially vigilant because of the wide range of intensely personal, private information about employees and applicants that they routinely collect and retain. All employers should ensure that they are doing everything reasonably possible to deter, detect, and deal with cybersecurity threats. Given the nature of the most common threats, employee awareness of the dangers posed by cybercriminals is the first line of defense against cyberattacks–and may be the most effective.
The hacking threat to which employers are most vulnerable is “phishing.” Phishing involves a cybercriminal sending an email or other electronic communication that appears to come from a legitimate or trusted source. The communication might contain a link to a malicious website; a request for the recipient to “verify” or enter bank, credit card, or other private information; or a seemingly legitimate directive for the recipient to turn over or divulge confidential information to the sender.
Phishing Scams
Access to W-2 tax forms is valuable to cyberthieves because they contain all the information a criminal needs to fraudulently file for and ultimately pocket tax refunds, including the victims’ names, addresses, Social Security numbers, and wage and withholding information. In a recent scam aimed at several businesses across the country, emails that were purportedly from a company executive were directed to someone in the payroll or human resources department of the target companies, expressing an “urgent” need for the W-2 forms of one or more named individuals. When the payroll offices “complied” by sending the sensitive documents to the purported executive, cyberthieves pounced and scooped up the personal data.
Ransomware–The New Frontier
A relatively new form of cyberattack, “ransomware,” involves the insertion of malware on a victim’s system. Ransomware encrypts data on the target system, rendering the information inaccessible or unusable by the victim. Cybercriminals then demand that victims pay a ransom in exchange for the software key to unlock the encryption and restore access to their data. Such attacks are increasing in frequency, scope, and effectiveness. Many businesses targeted by this scheme have refused to pay and lost their data–but many others have relented.
On May 12, 2017, cybercriminals launched a worldwide ransomware attack (variously dubbed “WannaCry,” “WannaCrypt,” and “WanaCrypt0r”) that reportedly infected as many as 230,000 computers in 150 countries. The malware exploited an apparent vulnerability in underlying operating system software. The attack affected a broad cross-section of public and private entities, including the National Health Service in Great Britain, FedEx in the United States, Telefonica in Spain, and several Nissan Motor and Renault manufacturing locations.
Many companies were advised not to pay the ransom in the hopes that their data might be recoverable without the hackers’ cooperation–and because payment was not a guarantee that the criminals would or could restore the data. Fortunately, most systems did not sustain significant damage from the attack, thanks largely to an analyst who was able to slow the progress of the infection, allowing time to create several operating system updates that abated the attack.
Ransomware attacks are poised to become more prevalent because they are cheap and easy to launch. They will likely be aimed at companies and industries (like hospitals) perceived as willing to pay a ransom because of the sensitive nature of their data and their need for ready access.
Precautions Your Business Can Take–Now
While it may be impossible to prevent cyberattacks, all companies should take steps to lower their risk and minimize the damage should an attack occur. The following four-step plan is a good start:
1. Install the Proper Hardware, Software, and Updates.
Conduct security assessments that comprehensively review current software systems and associated applications to identify any vulnerabilities. Follow this up by promptly applying any required updates to the existing software. Employers should also periodically assess their hardware to ensure that their computer systems have the capacity to run state-of-the-art cybersecurity defense software, current virus and malware definitions, and firewall protections.
The proper maintenance of cybersecurity software and the hardware it requires is a fundamental component of any plan to help protect private information and company trade secrets from cyberthieves. Employers might also consider segregating vital data stores from less sensitive data, allowing only those employees with special access controls and more rigorous authentication protocols to access sensitive data, or installing a software filter that prevents important documents (such as W-2 forms) from being accessed and transmitted without authorization from designated personnel or management.
Phishing is often a crime of convenience. Any actions that make it more difficult for cybercriminals to gain access to sensitive data or a computer system might be enough to cause the thieves to seek easier prey.
2. Train Employees and Enact Appropriate Policies.
Because phishing depends on employees who are careless, inattentive, or oblivious to the danger of cyberthreats, employee awareness is the first line of defense. Training employees on the dangers of phishing and how to recognize and avoid threats is the most important preventative measure a company can take against cyberattacks.
Employers should also consider enacting policies and practices that (1) clearly articulate the company’s commitment to data protection and its procedures for protecting sensitive personal and company data; (2) restrict the number of employees who have access to sensitive and legally protected data, including that of customers and fellow employees, as well as company intellectual property and trade secret information; and (3) indicate (and possibly restrict or regulate) whether employees may access personal email accounts or social networking sites on company computer equipment. Employers should also evaluate the risks and benefits of letting employees use personal devices (such as smartphones, laptops, and tablets) to connect to company systems.
3. Create A Disaster Response Plan In Case an Incident Occurs.
Attacks may occur despite an employer’s best efforts at preparedness. It is therefore important to have a dedicated disaster response plan in place to identify and neutralize any threat or data security incident; ensure a proper technical and administrative response; promote minimal damage; and rapidly restore the system and workforce.
Employers should establish and maintain secure, comprehensive data backups that are updated regularly and will not be affected if the main system is compromised. A disaster response plan should also include directives on how to:
- notify legal counsel immediately, thereby invoking confidentiality protections;
- interface with law enforcement (as necessary);
- comply with data breach notification requirements for all required jurisdictions;
- notify individuals who may have had personal information compromised; and
- address media and social media publicity, to minimize reputational damage to the enterprise or brand.
4. Purchase A Comprehensive Insurance Policy To Cover Any Incidents.
Finally, employers should consult with insurance representatives who can assess the level of coverage the company needs and recommend an appropriate cyber liability and/or cybercrime policy in order to transfer some of the risk associated with cyberthreats and harm.
Conclusion
If employers fail to prevent the unauthorized loss or disclosure of protected personal information about identifiable individuals, they risk violating state and federal laws and exposing themselves to government enforcement actions, civil litigation, and potentially staggering levels of financial liability and reputational harm. Some costs, such as the theft of intellectual property or trade secrets, may be incalculable.
The legal consequences, however, are only the beginning. Cyberattacks can cause unnecessary disruptions in the workplace, poor morale, and negative publicity, harming both the organization’s mission and its bottom line. Employers must act in advance to review and update security measures and ensure the creation of a data breach response protocol. Companies that institute preventative cybersecurity measures, and whose response to such incidents is immediate and informed, will significantly reduce their risk of exposure to cyberattacks and will be prepared to rebound quickly should an incident occur.
If you would like to learn more about how Prince Lobel can help you implement cybersecurity measures for your business, contact Joseph L. Edwards, Jr., 617 456 8131 or jedwards@princelobel.com, the author of this alert, or William S. Rogers Jr., 617 456 8112 or wsrogers@princelobel.com, chair of Prince Lobel’s Data Privacy and Security Group.